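def reidentify_with_deterministic(
    project,
    input_str,
    surrogate_type=None,
    key_name=None,
    wrapped_key=None,
):
    """Reidentifies text that was de-identified with deterministic encryption.

    Sends ``input_str`` to the DLP ``reidentify_content`` method with a
    ``crypto_deterministic_config`` transformation that uses a Cloud
    KMS-wrapped key, prints the result and returns it.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to reidentify (will be treated as text).
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key to
            use. This key should be encrypted using the Cloud KMS key
            specified by key_name.
    Returns:
        The reidentified text (``response.item.value``).
    Raises:
        ValueError: If key_name or wrapped_key is missing, or if wrapped_key
            is not valid base64 (binascii.Error is a ValueError subclass).
    """
    # Both halves of the KMS-wrapped key are needed to build the request, so
    # reject a missing one before a client is created or any data is sent.
    if not key_name or not wrapped_key:
        raise ValueError(
            "key_name and wrapped_key are required to reidentify content")

    import base64

    # Import the client library module that is actually referenced below.
    import google.cloud.dlp_v2

    # Instantiate a client
    dlp = google.cloud.dlp_v2.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = f"projects/{project}"

    # The wrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here.
    wrapped_key = base64.b64decode(wrapped_key)

    # Construct reidentify Configuration
    reidentify_config = {
        "info_type_transformations": {
            "transformations": [{
                "primitive_transformation": {
                    "crypto_deterministic_config": {
                        "crypto_key": {
                            "kms_wrapped": {
                                "wrapped_key": wrapped_key,
                                "crypto_key_name": key_name,
                            }
                        },
                        "surrogate_info_type": {
                            "name": surrogate_type
                        },
                    }
                }
            }]
        }
    }

    # The surrogate tokens are located with a custom info type that carries
    # the same name as the surrogate used at de-identification time.
    inspect_config = {
        "custom_info_types": [{
            "info_type": {
                "name": surrogate_type
            },
            "surrogate_type": {}
        }]
    }

    # Convert string to item
    item = {"value": input_str}

    # Call the API
    response = dlp.reidentify_content(
        request={
            "parent": parent,
            "reidentify_config": reidentify_config,
            "inspect_config": inspect_config,
            "item": item,
        })

    # Print results. The value printed here is the restored cleartext, so
    # code adapted from this sample should keep it out of shared logs.
    print(f"\tThe response from DLP API call for {input_str} is",
          response.item.value)

    return response.item.value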
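def reidentify_with_fpe(project, string, alphabet=None,
                        surrogate_type=None, key_name=None, wrapped_key=None):
    """Uses the Data Loss Prevention API to reidentify sensitive data in a
    string that was encrypted by Format Preserving Encryption (FPE).

    Args:
        project: The Google Cloud project id to use as a parent resource.
        string: The string to reidentify (will be treated as text).
        alphabet: The set of characters to replace sensitive ones with. For
            more information, see https://cloud.google.com/dlp/docs/reference/
            rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key to
            use. This key should be encrypted using the Cloud KMS key
            specified by key_name.
    Returns:
        None; the response from the API is printed to the terminal.
    Raises:
        ValueError: If key_name or wrapped_key is missing, or if wrapped_key
            is not valid base64 (binascii.Error is a ValueError subclass).
    """
    # A KMS-wrapped key needs both the wrapped bytes and the KMS key name;
    # fail here rather than after a client has been created.
    if not key_name or not wrapped_key:
        raise ValueError(
            'key_name and wrapped_key are required to reidentify content')

    import base64

    # Import the client library
    import google.cloud.dlp

    # Instantiate a client
    dlp = google.cloud.dlp.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # The wrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here.
    wrapped_key = base64.b64decode(wrapped_key)

    # Construct the reidentify config
    crypto_key = {
        'kms_wrapped': {
            'wrapped_key': wrapped_key,
            'crypto_key_name': key_name
        }
    }
    fpe_config = {
        'crypto_key': crypto_key,
        'common_alphabet': alphabet,
        'surrogate_info_type': {
            'name': surrogate_type
        }
    }
    reidentify_config = {
        'info_type_transformations': {
            'transformations': [
                {
                    'primitive_transformation': {
                        'crypto_replace_ffx_fpe_config': fpe_config
                    }
                }
            ]
        }
    }

    # The surrogate tokens are found through a custom info type named after
    # the surrogate type.
    inspect_config = {
        'custom_info_types': [
            {
                'info_type': {
                    'name': surrogate_type
                },
                'surrogate_type': {
                }
            }
        ]
    }

    # Convert string to item
    item = {'value': string}

    # Call the API
    response = dlp.reidentify_content(
        parent,
        inspect_config=inspect_config,
        reidentify_config=reidentify_config,
        item=item)

    # Print results. This is the restored cleartext; keep it out of shared
    # logs when adapting the sample.
    print(response.item.value)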
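def reidentify_with_fpe(project,
                        string,
                        alphabet=None,
                        surrogate_type=None,
                        key_name=None,
                        wrapped_key=None):
    """Uses the Data Loss Prevention API to reidentify sensitive data in a
    string that was encrypted by Format Preserving Encryption (FPE).

    Args:
        project: The Google Cloud project id to use as a parent resource.
        string: The string to reidentify (will be treated as text).
        alphabet: The set of characters to replace sensitive ones with. For
            more information, see https://cloud.google.com/dlp/docs/reference/
            rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key to
            use. This key should be encrypted using the Cloud KMS key
            specified by key_name.
    Returns:
        None; the response from the API is printed to the terminal.
    Raises:
        ValueError: If key_name or wrapped_key is missing, or if wrapped_key
            is not valid base64 (binascii.Error is a ValueError subclass).
    """
    # Check the key material first: without it the request cannot be built,
    # and there is no reason to create a client.
    if not key_name or not wrapped_key:
        raise ValueError(
            'key_name and wrapped_key are required to reidentify content')

    import base64

    # Import the client library
    import google.cloud.dlp

    # Instantiate a client
    dlp = google.cloud.dlp.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # The wrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here.
    wrapped_key = base64.b64decode(wrapped_key)

    # Construct the reidentify config
    reidentify_config = {
        'info_type_transformations': {
            'transformations': [{
                'primitive_transformation': {
                    'crypto_replace_ffx_fpe_config': {
                        'crypto_key': {
                            'kms_wrapped': {
                                'wrapped_key': wrapped_key,
                                'crypto_key_name': key_name
                            }
                        },
                        'common_alphabet': alphabet,
                        'surrogate_info_type': {
                            'name': surrogate_type
                        }
                    }
                }
            }]
        }
    }

    # The custom info type carries the surrogate name so the tokens can be
    # located in the text.
    inspect_config = {
        'custom_info_types': [{
            'info_type': {
                'name': surrogate_type
            },
            'surrogate_type': {}
        }]
    }

    # Convert string to item
    item = {'value': string}

    # Call the API
    response = dlp.reidentify_content(parent,
                                      inspect_config=inspect_config,
                                      reidentify_config=reidentify_config,
                                      item=item)

    # Print results. The printed value is the restored cleartext; keep it out
    # of shared logs when adapting the sample.
    print(response.item.value)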
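def reidentify_free_text_with_fpe_using_surrogate(
    project,
    input_str,
    alphabet="NUMERIC",
    surrogate_type="PHONE_TOKEN",
    unwrapped_key="YWJjZGVmZ2hpamtsbW5vcA==",
):
    """Uses the Data Loss Prevention API to reidentify sensitive data in a
    string that was encrypted by Format Preserving Encryption (FPE) with
    surrogate type. The encryption is performed with an unwrapped key.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to reidentify (will be treated as text).
        alphabet: The set of characters to replace sensitive ones with. For
            more information, see https://cloud.google.com/dlp/docs/reference/
            rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        unwrapped_key: The base64-encoded AES key to use; it must decode to
            16, 24 or 32 bytes. The default is a fixed sample value that
            decodes to 16 bytes (AES-128, not AES-256) and is published with
            this sample, so data encrypted under it is not protected. Pass
            your own key for anything other than a demonstration.
    Returns:
        None; the response from the API is printed to the terminal.
    Raises:
        ValueError: If unwrapped_key is not valid base64 or does not decode
            to a 128-, 192- or 256-bit key.
    """
    import base64

    # The unwrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here. Decoding and checking the length first means
    # a malformed key is rejected before a client is created.
    unwrapped_key = base64.b64decode(unwrapped_key)
    if len(unwrapped_key) not in (16, 24, 32):
        raise ValueError(
            "unwrapped_key must decode to 16, 24 or 32 bytes, got "
            f"{len(unwrapped_key)}")

    # Import the client library module that is actually referenced below.
    import google.cloud.dlp_v2

    # Instantiate a client
    dlp = google.cloud.dlp_v2.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # Construct the reidentify config. With an "unwrapped" crypto key the raw
    # AES key itself is placed in the request.
    transformation = {
        "primitive_transformation": {
            "crypto_replace_ffx_fpe_config": {
                "crypto_key": {
                    "unwrapped": {
                        "key": unwrapped_key
                    }
                },
                "common_alphabet": alphabet,
                "surrogate_info_type": {
                    "name": surrogate_type
                },
            }
        }
    }

    reidentify_config = {
        "info_type_transformations": {
            "transformations": [transformation]
        }
    }

    # The surrogate tokens are located through a custom info type with the
    # same name as the surrogate type.
    inspect_config = {
        "custom_info_types": [{
            "info_type": {
                "name": surrogate_type
            },
            "surrogate_type": {}
        }]
    }

    # Convert string to item
    item = {"value": input_str}

    # Call the API
    response = dlp.reidentify_content(
        parent,
        inspect_config=inspect_config,
        reidentify_config=reidentify_config,
        item=item,
    )

    # Print results. The printed value is the restored cleartext; keep it out
    # of shared logs when adapting the sample.
    print(response.item.value)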
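def reidentify_with_fpe(project, string, alphabet=None,
                        surrogate_type=None, key_name=None, wrapped_key=None):
    """Uses the Data Loss Prevention API to reidentify sensitive data in a
    string that was encrypted by Format Preserving Encryption (FPE).

    Args:
        project: The Google Cloud project id to use as a parent resource.
        string: The string to reidentify (will be treated as text).
        alphabet: Passed to the API as ``common_alphabet`` of the FPE config.
        surrogate_type: The name of the surrogate info type; it is used both
            in the FPE config and as the custom info type to inspect for.
        key_name: The Cloud KMS key name sent as ``crypto_key_name``.
        wrapped_key: The base64-encoded KMS-wrapped key; it is decoded to
            bytes before being sent.
    Returns:
        The reidentified text (``response.item.value``).
    Raises:
        ValueError: If key_name or wrapped_key is missing, or if wrapped_key
            is not valid base64 (binascii.Error is a ValueError subclass).
    """
    # A KMS-wrapped key needs both the wrapped bytes and the KMS key name;
    # fail here rather than after a client has been created.
    if not key_name or not wrapped_key:
        raise ValueError(
            'key_name and wrapped_key are required to reidentify content')

    import base64

    # Import the client library
    import google.cloud.dlp

    # Instantiate a client
    dlp = google.cloud.dlp.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # The wrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here.
    wrapped_key = base64.b64decode(wrapped_key)

    # Construct the reidentify config
    fpe_config = {
        'crypto_key': {
            'kms_wrapped': {
                'wrapped_key': wrapped_key,
                'crypto_key_name': key_name
            }
        },
        'common_alphabet': alphabet,
        'surrogate_info_type': {
            'name': surrogate_type
        }
    }
    reidentify_config = {
        'info_type_transformations': {
            'transformations': [
                {
                    'primitive_transformation': {
                        'crypto_replace_ffx_fpe_config': fpe_config
                    }
                }
            ]
        }
    }

    # The surrogate tokens are found through a custom info type named after
    # the surrogate type.
    inspect_config = {
        'custom_info_types': [
            {
                'info_type': {
                    'name': surrogate_type
                },
                'surrogate_type': {
                }
            }
        ]
    }

    # Convert string to item
    item = {'value': string}

    # Call the API
    response = dlp.reidentify_content(
        parent,
        inspect_config=inspect_config,
        reidentify_config=reidentify_config,
        item=item)

    # The returned value is the restored cleartext.
    return response.item.value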
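def reidentify_with_fpe(
    project,
    input_str,
    alphabet=None,
    surrogate_type=None,
    key_name=None,
    wrapped_key=None,
):
    """Uses the Data Loss Prevention API to reidentify sensitive data in a
    string that was encrypted by Format Preserving Encryption (FPE).

    Args:
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to reidentify (will be treated as text).
        alphabet: Passed to the API as ``common_alphabet`` of the FPE config.
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key to
            use. This key should be encrypted using the Cloud KMS key
            specified by key_name.
    Returns:
        The reidentified text (``response.item.value``).
    Raises:
        ValueError: If key_name or wrapped_key is missing, or if wrapped_key
            is not valid base64 (binascii.Error is a ValueError subclass).
    """
    # Both halves of the KMS-wrapped key are needed to build the request, so
    # reject a missing one before a client is created or any data is sent.
    if not key_name or not wrapped_key:
        raise ValueError(
            "key_name and wrapped_key are required to reidentify content")

    import base64

    # Import the client library module that is actually referenced below.
    import google.cloud.dlp_v2

    dlp = google.cloud.dlp_v2.DlpServiceClient()
    # Convert the project id into a full resource id.
    parent = f"projects/{project}"
    # The wrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here.
    wrapped_key = base64.b64decode(wrapped_key)

    reidentify_config = {
        "info_type_transformations": {
            "transformations": [{
                "primitive_transformation": {
                    "crypto_replace_ffx_fpe_config": {
                        "crypto_key": {
                            "kms_wrapped": {
                                "wrapped_key": wrapped_key,
                                "crypto_key_name": key_name,
                            }
                        },
                        "common_alphabet": alphabet,
                        "surrogate_info_type": {
                            "name": surrogate_type
                        },
                    }
                }
            }]
        }
    }

    # The surrogate tokens are located through a custom info type with the
    # same name as the surrogate type.
    inspect_config = {
        "custom_info_types": [{
            "info_type": {
                "name": surrogate_type
            },
            "surrogate_type": {}
        }]
    }

    item = {"value": input_str}
    # Call the DLP API https://cloud.google.com/dlp/docs/pseudonymization
    response = dlp.reidentify_content(
        request={
            "parent": parent,
            "reidentify_config": reidentify_config,
            "inspect_config": inspect_config,
            "item": item,
        })

    # The returned value is the restored cleartext.
    return response.item.value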